ISACA Journal Author Blog


Looking Beyond Meeting PCI DSS Requirements by Cloud Service Providers

Published: 9/4/2012 1:31 PM
Adesanya Ahmed, CRISC, CGEIT, ACMA, ACPA
With the advent of new technologies, cloud computing can offer organizations long-term IT savings, reduced infrastructure costs and pay-for-service models. By moving IT services to the cloud, organizations are more geographically distributed than ever before, and the pace of business gets faster every day. Online collaboration has become a business necessity; there is no other way for distributed teams to work as quickly and efficiently as business demands. This shifts the attacker's target from internal systems to web-facing applications and services. Because of these changes, today's business needs demand that applications and data not only move across physical, international borders, but also move to the cloud and be accessed by third parties. This loss of control is significant for security teams, which must not only keep data safe but also comply with the necessary security standards, e.g., the Payment Card Industry Data Security Standard (PCI DSS).
Mobile access makes it more difficult to meet these security requirements. A secure file-sharing solution must work with the wide variety of mobile devices that business users carry, including personal devices owned by employees as well as business devices tested and configured by the IT department. Many users carry multiple devices, for example a smartphone issued by the IT department along with a tablet for personal use. A secure file-sharing solution must support all of these devices without requiring the organization to hire an army of technicians to install and maintain special security software on every mobile device that might access the organization's cloud server.
While complying with security standards goes a long way toward mitigating risk, good policy planning and enforcement can do even more. The following should be considered for bring your own device (BYOD):
  • Mobile devices should never be allowed to store personal information about customers or intellectual property.
  • Access to the corporate network from a BYOD device should be based not only on the user's role in the business, but also on the user's location and the connection used, such as from inside or outside the corporate network or through a VPN. For example, a connection via an unsecured Wi-Fi network that is not going through the corporate VPN should be blocked.
  • VPN access should also be restricted to specific business tasks, since an "access all areas" approach is unnecessary and too risky.
  • Network access control (NAC) technology should be extended to mobile devices to provide the checks needed to establish a device's access rights based on its patch status, antivirus status and application configuration.
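The three access-related items above (role plus location and connection type, VPN limited to specific tasks, NAC posture checks) are the kind of rules a policy decision point evaluates on every connection. The following is an added example, not code from the original post or from ISACA, showing one way to encode them. The role names, resource names, the `Network` categories and the two role-to-resource tables are illustrative assumptions; a real deployment would take posture from the NAC or MDM agent and connection context from the VPN concentrator or the access switch or AP. It also goes slightly beyond the text on one point, labelled in the code: any off-site connection that is not tunnelled through the corporate VPN is treated as untrusted, not only unsecured Wi-Fi.

```python
"""Added example: a context-aware BYOD access-policy evaluator.

Not from the original post. Role names, resource names and the Network
categories are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Network(Enum):
    CORPORATE = "corporate"        # inside the corporate network
    VPN = "vpn"                    # remote, tunnelled through the corporate VPN
    EXTERNAL_NO_VPN = "external"   # remote, not through the VPN (e.g. cafe or hotel Wi-Fi)


@dataclass
class Posture:
    """What the NAC agent reports about the device (assumed attributes)."""
    patched: bool
    antivirus_current: bool
    app_config_compliant: bool


@dataclass
class AccessRequest:
    role: str
    network: Network
    wifi_secured: bool          # only meaningful when network is EXTERNAL_NO_VPN
    resource: str
    posture: Posture


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


# Assumed role-to-resource tables. ON_SITE is what a role may reach from inside
# the network; REMOTE_TASKS is the narrower set permitted over VPN, which is
# how "VPN access restricted to specific business tasks" is expressed here.
ON_SITE = {
    "sales":    {"crm", "fileshare", "intranet"},
    "finance":  {"erp", "payments", "fileshare", "intranet"},
    "engineer": {"git", "ci", "fileshare", "intranet"},
}
REMOTE_TASKS = {
    "sales":    {"crm"},
    "finance":  {"erp"},
    "engineer": {"git", "ci"},
}


def evaluate(req: AccessRequest) -> Decision:
    """Apply the BYOD rules in order, collecting every failing reason."""
    reasons: list[str] = []

    # Connection context. The post blocks unsecured Wi-Fi that bypasses the VPN;
    # as an assumption, any other off-VPN external connection is also denied,
    # because the network cannot check identity or posture on it.
    if req.network is Network.EXTERNAL_NO_VPN:
        if not req.wifi_secured:
            reasons.append("unsecured Wi-Fi without corporate VPN")
        else:
            reasons.append("external connection not tunnelled through corporate VPN")

    # NAC posture: patch level, antivirus status and application configuration.
    if not req.posture.patched:
        reasons.append("NAC: device is missing required patches")
    if not req.posture.antivirus_current:
        reasons.append("NAC: antivirus not current")
    if not req.posture.app_config_compliant:
        reasons.append("NAC: application configuration not compliant")

    # Role and location together decide which resources are reachable. Skipped
    # for untrusted networks, which were already denied above.
    if req.network is Network.CORPORATE:
        permitted = ON_SITE.get(req.role, set())
    elif req.network is Network.VPN:
        permitted = REMOTE_TASKS.get(req.role, set())
    else:
        permitted = None
    if permitted is not None and req.resource not in permitted:
        reasons.append(
            f"role {req.role!r} may not reach {req.resource!r} via {req.network.value}"
        )

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests (not real traffic).
HEALTHY = Posture(patched=True, antivirus_current=True, app_config_compliant=True)
SAMPLES = {
    "finance_on_site_erp": AccessRequest("finance", Network.CORPORATE, True, "erp", HEALTHY),
    "finance_vpn_payments": AccessRequest("finance", Network.VPN, True, "payments", HEALTHY),
    "sales_cafe_wifi_crm": AccessRequest("sales", Network.EXTERNAL_NO_VPN, False, "crm", HEALTHY),
    "engineer_vpn_git_unpatched": AccessRequest(
        "engineer", Network.VPN, True, "git",
        Posture(patched=False, antivirus_current=True, app_config_compliant=True),
    ),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        d = evaluate(req)
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

Note that the evaluator records every failing rule rather than stopping at the first one; that is what an incident responder wants in the access log when reconstructing why a device was refused, and it makes the policy auditable against the bullet list above.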

Users need to appreciate that losing a mobile device is not just an inconvenience; it can also be the cause of a data breach, so there has to be a strong focus on avoiding loss or theft. To reduce theft or misuse, the organization should conduct risk training for end users that emphasizes information asset ownership and physical security awareness. It should also consider stronger disciplinary measures, including suspension or even termination in the event of a serious breach, and implement a policy that focuses employees' attention on safeguarding their phones and Wi-Fi equipment.

Read Adesanya Ahmed's recent Journal article, "Meeting PCI DSS When Using a Cloud Service Provider," ISACA Journal, volume 5, 2012.

